I understand that best practice is to use tokens to prevent CSRF, but why do browsers permit cross-site POST requests in the first place? It seems like giving untrusted parties unfettered write access to your server is a bad idea.

The W3's site says that "Under the same-origin policy, cross-site sending of information is also dangerous since it enables attacks such as cross-site request forgery (CSRF) and clickjacking. The same-origin policy cannot address these security vulnerabilities in the same way it does those around receiving of information since prohibiting cross-site sending of information would prohibit cross-site hyperlinks." [1]

But this seems like a false dichotomy. We could disallow cross-site POSTs while still allowing hyperlinks, which are GETs.

[1] https://www.w3.org/Security/wiki/Same_Origin_Policy

Michael Gummelt
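An added example (not from the question or the answer) of the token-based check the question refers to, in Python: a per-session synchronizer token that a form built on another origin cannot supply, with GETs left token-free because they are the hyperlinks the W3C text wants to keep working. The in-memory session store, the `bank.example` origin and the handler names are constructed for illustration.

```python
import hmac
import secrets
from typing import Dict, Optional

# Constructed in-memory session store (assumption for this example):
# session id -> CSRF token issued to that session.
SESSIONS: Dict[str, str] = {}
SITE_ORIGIN = "https://bank.example"  # constructed origin of the protected site


def new_session():
    """Create a session and the synchronizer token bound to it."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = secrets.token_urlsafe(32)
    return sid, SESSIONS[sid]


def csrf_token_valid(sid: str, submitted: Optional[str]) -> bool:
    """Constant-time comparison against the token issued to this session."""
    expected = SESSIONS.get(sid)
    if expected is None or submitted is None:
        return False
    return hmac.compare_digest(expected, submitted)


def handle_request(method: str, cookies: Dict[str, str],
                   form: Dict[str, str], headers: Dict[str, str]) -> int:
    """Return the HTTP status a state-changing endpoint would answer with.

    The browser attaches the session cookie to any request it sends to us,
    including one a foreign page triggers, so the cookie alone proves nothing
    about who built the request. The token is only rendered into pages of our
    own origin, so a request assembled elsewhere cannot carry it.
    """
    sid = cookies.get("sid")
    if sid is None or sid not in SESSIONS:
        return 401
    if method == "GET":
        return 200  # read-only; plain hyperlinks must keep working
    if method != "POST":
        return 405
    # Defence in depth: when the browser supplies Origin, it must be ours.
    origin = headers.get("Origin")
    if origin is not None and origin != SITE_ORIGIN:
        return 403
    if not csrf_token_valid(sid, form.get("csrf_token")):
        return 403
    return 200  # state change accepted
```

A request that arrives with a valid session cookie but without the matching token is refused, which is exactly the case a cross-site POST produces.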

1 Answer

It seems like giving untrusted parties unfettered write access to your server is a bad idea.

I guess that would be true unless your entire business model depended on it:

CaffeineAddiction